Consumer Financial Protection Bureau Independent Audit of Selected Operations and Budget

Transcription

1 Consumer Financial Protection Bureau Independent Audit of Selected Operations and Budget December 16, 2016 KPMG LLP Suite K Street, NW Washington, DC 20006

2 Table of Contents EXECUTIVE SUMMARY... 1 BACKGROUND... 4 OBJECTIVES, SCOPE, AND METHODOLOGY... 5 Objectives and Scope... 5 Methodology and Approach... 5 CFPB s Budget Process... 6 CFPB s Asset Management Process... 9 CFPB s Frequent Traveler Stipend Program (FTSP) Process Corrective Actions Taken to Resolve the FY2015 Audit Report Findings and Recommendations Finding and Recommendations Appendix A Additional Improvement Observations Appendix B CFPB s Management Response... 17

3 KPMG LLP Suite K Street, NW Washington, DC EXECUTIVE SUMMARY December 16, 2016 The Honorable Richard Cordray Director Consumer Financial Protection Bureau 1700 G Street NW Washington, DC Dear Mr. Cordray: This report presents the results of our work conducted to address the performance audit objectives relative to the Consumer Financial Protection Bureau (hereinafter referred to as CFPB or Bureau ). Our work was performed during the period July 12, 2016 to December 16, 2016, and our results, reported herein, are as of December 16, We conducted this performance audit in accordance with Government Auditing Standards issued by the Comptroller General of the United States. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and recommendations based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and recommendations based on our audit objectives. As specified by CFPB, our audit objectives were to evaluate CFPB s (1) budget process relative to its policies and procedures established over budget formulation, execution, and monitoring; (2) asset management process relative to its policies and procedures over managing and maintaining accountability of CFPB assets; (3) frequent traveler stipend program process relative to its policies and procedures over issuing annual stipends to employees for extended overnight travel while on temporary official business; and (4) corrective actions taken to resolve the findings and recommendations included in CFPB s 2015 Independent Audit of Selected Operations and Budget, which was performed by KPMG. Page 1 KPMG LLP is a Delaware limited liability partnership, the U.S. member firm of KPMG International Cooperative ( KPMG International ), a Swiss entity.

4 As our report further describes, we identified the following finding as a result of the work performed to meet our audit objectives: A. Adherence with asset management policies and procedures needs to be improved and certain additional controls need to be adopted. We recommend that CFPB: 1. Implement controls designed to ensure that barcoded asset tags are affixed to all servers upon acquisition and that they can be physically accessed for scanning purposes during the inventory process. 2. Update inventory observation-related standard operating procedures to provide guidance on how to document the results of the annual inventory, including (1) the date the observation(s) was performed, (2) the number and type of discrepancies identified (e.g., items that were found to be damaged or defective, as well as assets observed to be in use that were not included on the inventory tracking spreadsheet, and (3) disposition of the discrepancies identified, including any corrections or adjustments made to the inventory tracking spreadsheet. 3. Reinforce key objectives and procedures in the inventory observation process to help ensure that: a. All assets within CFPB s possession are safeguarded and can be readily located using the inventory tracking spreadsheets; b. Appropriate documentation is maintained regarding the performance of the inventory observations; c. Inventory-related discrepancies are resolved; and d. Necessary updates are made to inventory listings. 4. Provide training to applicable personnel regarding annual inventory policies and procedures. Through our procedures, we determined that the prior year audit s control deficiency has been partially remediated. Draft procedures and options available to ensure positive destruction of storage that contains personally identifiable information has been completed, but finalization of the procedures and the Chief Information Officer s approval were in progress and not started, respectively, as of the corrective action plan s September 30, 2016 target completion date. We note, however, that CFPB management provided a Page 2

5 copy of the final CFPB Media Sanitization and Destruction Standard, which was signed by the Acting Chief Information Officer in November, In addition, we identified certain areas for improvement, as presented in Appendix A Additional Improvement Observations. We determined that these observations are not reportable findings. However, understanding these observations may be useful to CFPB in strengthening the budget and frequent traveler stipend program practices. This performance audit did not constitute an audit of financial statements in accordance with Government Auditing Standards or U.S. Generally Accepted Auditing Standards. KPMG LLP was not engaged to and did not render an opinion on the CFPB s internal controls over financial reporting or over financial management systems (for purposes of Office of Management and Budget (OMB) Circular No. A-123, Management s Responsibility for Internal Control, dated December 21, and OMB Circular No. A- 123, Appendix D, Compliance with the Federal Financial Management Act of 1996, dated September 20, 2013). This report is intended solely for the information and use of the Consumer Financial Protection Bureau, and is not intended to be, and should not be, used by anyone other than these specified parties. Sincerely, 1 OMB Circular A-123 was updated on July 15, 2016 and retitled Management s Responsibility for Enterprise Risk Management and Internal Control. Among the major changes were the requirement for enterprise risk management, with initial implementation timeframes starting in Our 2016 audit applied the 2004 Circular A-123 in effect at the time of our performance audit. Page 3

6 BACKGROUND The Consumer Financial Protection Bureau (CFPB) was established on July 21, 2010 under Title X of the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act, Public Law No ) as an independent bureau within the Federal Reserve System (Federal Reserve). The Bureau is an Executive agency, as defined in Section 105 of Title 5, United States Code, with a mission to make consumer finance rules more effective, consistently and fairly enforce those rules, and empower consumers to take more control over their economic lives. To accomplish its mission, the CFPB seeks to educate consumers, enforce Federal consumer financial laws, and gather and analyze information to better understand consumers, financial service providers and consumer financial markets. The CFPB has a diverse mandate and has assumed roles that were previously covered by seven different agencies responsible for rulemaking, supervision, and enforcement relating to consumer financial protection. The agencies which previously administered statutes transferred to the CFPB are the Board of Governors of the Federal Reserve System, the Office of the Comptroller of the Currency, the Office of Thrift Supervision, the Federal Deposit Insurance Corporation, the National Credit Union Administration, the Federal Trade Commission, and the Department of Housing and Urban Development. To accomplish its mission, the CFPB developed and is continuing to build a workforce with a broad and diverse depth of public and private industry experience that is spread across the country, with its headquarters in Washington, D.C. and regional offices in Chicago, New York City, and San Francisco. The CFPB is organized into six primary divisions: Consumer Education and Engagement Works to empower consumers with the knowledge, tools, and capabilities they need in order to make better-informed financial decisions by engaging them in the right moments of their financial lives, while addressing the unique financial challenges faced by four specific populations. Supervision, Enforcement, and Fair Lending Ensures compliance with Federal consumer financial laws by supervising market participants and bringing enforcement actions when appropriate. Research, Markets, and Regulations Conducts research to understand consumer financial markets and consumer behavior, evaluates whether there is a need for regulation, and determines the costs and benefits of potential or existing regulations. Legal Division Ensures the Bureau s compliance with all applicable laws and provides advice to the Director and the Bureau s divisions. Page 4

7 External Affairs Manages the Bureau s relationships with external stakeholders and ensures that the Bureau maintains robust dialogue with interested stakeholders to promote understanding, transparency, and accountability. Operations Division Builds and sustains the CFPB s operational infrastructure to support the entire organization and hears directly from consumers about challenges they face in the marketplace through their complaints, questions, and feedback. OBJECTIVES, SCOPE, AND METHODOLOGY Objectives and Scope As specified by the CFPB, the objectives of our performance audit were to evaluate CFPB s: 1. Budget process relative to its policies and procedures established over budget formulation, execution, and monitoring; 2. Asset management process relative to its policies and procedures over managing and maintaining accountability of CFPB assets; 3. Frequent Traveler Stipend Program process relative to its policies and procedures over issuing annual stipends to employees for extended overnight travel while on temporary official business; and 4. Corrective actions taken to resolve the findings and recommendations included in CFPB s 2015 Independent Audit of Selected Operations and Budget. Methodology and Approach We conducted our performance audit in accordance with the performance audit standards in Government Auditing Standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and recommendations based on our audit objectives. Our responsibility is to provide findings and recommendations based on the results of our audit. We believe that the evidence obtained provides a reasonable basis for our finding and recommendations based on our audit objectives. Our methodology consisted of the following four-phased approach: 1. Project Initiation and Planning We met with CFPB key personnel to (1) reaffirm CFPB s and our collective understanding of the performance audit objectives and scope, (2) highlight our methodology and approach to meet the audit objectives, (3) request certain information from CFPB needed to perform our audit, and (4) gain an understanding of the status of corrective actions plans related to our prior year findings and recommendations. Page 5

8 2. Data Gathering We interviewed key CFPB personnel to obtain an understanding of processes, controls, and available documentation for each audit objective. For each audit objective, we (1) researched leading practices, (2) obtained and reviewed relevant documentation, (3) selected samples for detailed testing and further analysis, when appropriate, and (4) documented the work performed and results of our audit procedures. 3. Analysis Using Established Criteria Our evaluation criteria was developed from a variety of sources, including requirements and technical guidance published by the Office of Management and Budget (OMB) and used by CFPB as leading practices 2 at the time of our audit (e.g., OMB Circular No. A-123, Management s Responsibility for Internal Control; OMB Circular No. A-123, 3 Appendix D, Compliance with the Federal Financial Management Improvement Act of 1996; OMB Circular No. A- 11, Preparation, Submission and Execution of the Budget); and CFPB s policies and procedures. 4. Finding and Recommendations The results of our audit work were the basis for our audit finding and recommendations. The finding and recommendations were formally communicated to CFPB management through our Notice of Findings and Recommendations process. We met with CFPB management to discuss our finding, recommendations, the content of the auditor s report, and steps related to the final reporting process. The sections below present an overview of each of the audit objectives and the key procedures performed with respect to each area. CFPB s Budget Process Pursuant to the Dodd-Frank Act ( the Act ), the CFPB is funded principally by transfers from the Federal Reserve System, up to a limit set forth in the Act. In addition, pursuant to the Act, the CFPB is also authorized to collect and use, for specified purposes, civil penalties collected from any person or entity in any judicial or administrative action brought under federal consumer financial law. During fiscal years 2015 and 2016, the CFPB s annual transfers from the Board totaled approximately $485 million and $564 million, respectively. The CFPB budget process consists of budget formulation (including budget submission and approval), budget execution, and budget monitoring (including reporting). The CFPB and the Federal Reserve have entered into an inter-agency agreement for the continued funding of the operations of the CFPB as set forth in Section 1017(b) of the Dodd-Frank Act. Under this agreement, the Federal 2 While not required to comply with OMB regulations, CFPB uses OMB requirements and guidance as indicators of leading practices. 3 See footnote 1. Page 6

9 Reserve will transfer funds quarterly to the CFPB based on notification by the Director of the amounts needed. The annual budget formulation process begins approximately 18 months before the beginning of the fiscal year in which the budget will be executed. This is a collaborative effort between the CFPB s Office of the Chief Financial Officer (OCFO) and CFPB divisions and their offices. To facilitate a standardized and consistent budget formulation process, the OCFO has developed policies and procedures, including templates for gathering relevant data. The program or division is required to support the amounts requested and link to the CFPB goals set by the Director. The CFPB s Operations Division is responsible for coordinating activities for budget formulation across the Bureau. Working in collaboration with other CFPB divisions, the OCFO has primary responsibility for developing the budget (including staffing estimates) consistent with statutory requirements, performance goals, and CFPB priorities. The CFPB Director has final approval authority over the budget. Once the annual budget is approved by the Director, it is distributed internally, communicated to OMB (but not subject to approval by OMB), and posted on the CFPB website. To execute its budget, CFPB exercises administrative control of funds through several measures. A financial plan is developed for each division and distributed at the beginning of each fiscal year. Within the financial plan, each division is allocated a target staffing headcount and personnel and non-personnel funding for the fiscal year. Divisions are expected to adhere to their financial plan allocations and to work collaboratively with the OCFO to request any additional funding and/or staffing if needed throughout the year. The OCFO has established policies and procedures for the approvals of requisitions and commitments related to CFPB s funds. To process budgetary transactions and enforce fund controls, CFPB has entered into an inter-agency agreement for accounting services with the U.S. Department of the Treasury s Bureau of the Fiscal Service. Accounting services provided to CFPB include recording financial transactions, such as budget authority, allocations, collections, accounts receivable, commitments, obligations, accruals, accounts payable, disbursements, and journal entries. The Bureau of the Fiscal Service s automated accounting systems provide the budgeting and funds control at various organizational and spending levels, which are established at the request of the customer agency. To complement these fund controls, CFPB has established a number of additional monitoring controls, such as monthly budget execution summary reports, quarterly OCFO reviews, and the mid-year budget review. In addition, the OCFO has established policies and procedures to Page 7

10 perform a quarterly accrual analysis of obligations of $100,000 or greater to determine if goods and services were received. The CFPB has established and maintains an Operating Reserve to protect the Bureau s ability to carry out its authority and ensure the stability of its mission, programs, and ongoing operations in the event of unanticipated and unbudgeted one-time funding needs. This reserve is intended to provide a source of funds internal to the CFPB for unexpected situations, such as sudden increases in expenses, one-time unbudgeted expenses, unanticipated delays in funding, and uninsured losses. The CFPB s Operating Reserve Policy has been implemented in concert with its other governance and financial policies and is intended to support the goals and strategies contained in those related policies and in strategic and operational plans. Additionally, maintenance of such a reserve is expected to minimize or eliminate the need to request fund transfers from the Board of Governors of the Federal Reserve (Board) outside the predetermined schedule, which could place an undue burden on the Federal Reserve System. Our methodology and approach for evaluating the budget process included the following procedures: Interviewing CFPB key budget personnel within the individual division/program offices and the OCFO regarding formulation, execution, and monitoring; Reviewing the policies and procedures for budget formulation, execution, and monitoring; Obtaining a further understanding of the budget formulation, execution, and monitoring process through discussions with management of the OCFO and select CFPB divisions; Reviewing documents used to support the budget formulation process; Comparing the CFPB budget formulation, execution, and monitoring process to the applicable requirements and guidance in OMB Circular A-11 as an indicator of leading practice; Reviewing documents to support the fact that the fiscal year 2016 budget was discussed with the program offices, was reviewed and approved by CFPB s Director, and was widely communicated throughout the organization; Obtaining an understanding of the budget execution and monitoring process through discussions with OCFO management and select CFPB offices; Reviewing CFPB s support for its mid-year budget review, and Reviewing CFPB s use of the Operating Reserve during fiscal year 2016, including its conformance with the Operating Reserve Policy. Our procedures did not identify any findings related to CFPB s budget process. However, as a result of our procedures, we reported an observation for CFPB s consideration in further enhancing its budget process, Page 8

11 specifically as it relates to its Operating Reserve Policy, which is included in Appendix A Additional Improvement Observations. This observation is related to our 2016 audit of selected operations and budget and is presented for the purpose of finalizing the results of the audit. CFPB s Asset Management Process CFPB has established asset management policies for both information technology (IT) and non-it assets. CFPB s IT and non-it policies together provide the responsibilities and procedures pertaining to the tracking and physical inventory of CFPB-owned assets. These policies and procedures outline the process by which physical inventories are to be performed, newly-acquired assets are to be tagged with a barcode, assets are tracked in a spreadsheet, and lost or stolen assets are disposed of. During the annual wall-to-wall inventory process, inventory specialists are equipped with a hand-held barcode scanner and a listing of barcodes organized by building, floors, and hardware models. The handheld barcode scanner stores an Excel spreadsheet file of all property in the accounting records and is updated based on the scanned information. Once the inventory process is complete, the stored information is aggregated into the Master Inventory Spreadsheet. A Facilities Office (Facilities) Asset Program Manager (APM) oversees non-it asset management program activities, including creating and maintaining property inventory records in a tracking spreadsheet. The Facilities APM ensures compliance with regulatory and other mandates, including initiation of annual inventories and coordinating excess property requests requiring intergovernmental cooperation. The Technology and Innovation (T&I) Office Infrastructure Operations Asset Management Team has developed asset management standard operating procedures (SOP) for managing and maintaining CFPB s IT end user assets. These procedures describe inventory and accountability controls for tracking and recording assets throughout the asset lifecycle. The procedures are used by T&I Asset Management Team members (at both headquarters and regional offices), who are responsible for and tasked with managing CFPB s IT end user assets. End user assets are to be managed and tracked using Remedyforce. T&I server assets are managed and tracked by the Infrastructure Engineering team using an excel spreadsheet. Our methodology and approach for evaluating CFPB s asset management process included the following procedures: Conducted a kickoff and interviews with CFPB key asset management personnel within the Office of Facilities (Facilities) and the T&I Office; Reviewed the policies and procedures for asset management; Page 9

12 Obtained an understanding of the asset management process through discussions with both T&I Office and Facilities Office management; Reviewed documents used to support the asset management process to help us identify risks (inherent, fraud, and control) in the process and the controls designed to mitigate those risks; Selected and tested a sample of asset additions to determine CFPB s conformance with its asset management-related policies and procedures; Selected samples and performed observation procedures of both a book-to-floor and a floor-tobook nature to determine the accuracy of CFPB s asset inventory listings; and Obtained and reviewed the CFPB s June 30, 2016 quarterly submission of the Inventory Tracking Log (inventory procedure results) for reference and comparison purposes in conjunction with our own bookto-floor and a floor-to-book inventory observation test procedures. Refer to Finding A in the Finding and Recommendations section of this report for our finding and recommendations related to our asset management process audit objective. CFPB s Frequent Traveler Stipend Program (FTSP) Process CFPB employees who travel frequently on temporary official business are eligible to receive an annual stipend if they spend more than 50 nights in eligible temporary duty travel (ETDY) status. The travel period for the program is January 1 through December 31 of each year. Approved travel stipend payments are made through the payroll process, with lump sum payments to eligible employees included in the payroll for hours worked during the fourth pay period in the year following the travel period. To be considered for the annual stipend employees are required to (1) complete, obtain supervisory approval of, and submit to the OCFO Travel Section a Frequent Traveler Stipend Claim Form detailing the purpose of the travel, the ETDY travel dates, and the number of qualifying nights of travel, and (2) maintain copies of the claim form and related documentation and comply with other travel-related CFPB travel policy recordkeeping requirements. Employees supervisors are required to review, approve, and sign Frequent Traveler Stipend Claim Forms to ensure that lodging nights claimed are in accordance with the Frequent Traveler Stipend Program policy and that the travel was performed as claimed. The OCFO Travel Section performs a review of the claim forms and supporting documentation, interprets and applies CFPB s travel policy and frequent traveler stipend program policy requirements, and provides the information necessary for payments to be processed. The OCFO may request or review additional documentation or information (e.g., travel vouchers) to support the claim or perform post-payment audits, as considered necessary. Page 10

13 Our methodology and approach for evaluating CFPB s FTSP process included the following procedures: Conducted a kickoff meeting and interviews with CFPB key FTSP personnel within the OCFO Travel Section; Reviewed the policies and procedures for the FTSP; Obtained an understanding of the FTSP process through discussions with members of the OCFO Travel Section; Reviewed documents used to support the FTSP process to help us identify risks (inherent, fraud, and control) in the process and the controls designed to mitigate those risks; and Selected and tested a sample of FTSP claim forms to determine conformance with CFPB's travel stipend policies and procedures Our procedures did not identify any findings related to CFPB s FTSP process. However, as a result of our procedures, we reported in Appendix A Additional Improvement Observations an observation for CFPB s consideration in further enhancing its FTSP process. This observation is related to our 2016 audit of selected operations and budget and is presented for the purpose of finalizing the results of the audit. Corrective Actions Taken to Resolve the FY2015 Audit Report Findings and Recommendations CFPB developed corrective action plans to address the prior year recommendations included in the 2015 Independent Audit of Operations and Budget report. 4 Our methodology and approach for the corrective actions process included the following procedures: Reviewed the finding and related recommendations included in the 2015 Independent Audit of Operations and Budget, which was defined as deficiency in internal control; Obtained and reviewed the corrective action plans (CAP) developed by CFPB for the recommendations mentioned above; Reviewed documentation supporting the CFPB actions specified in the CAP and how the actions taken address the prior year findings. The table below depicts the status of the prior year recommendations based on the results of our 2016 performance audit procedures: 2015 Finding 2015 Finding Type 2016 Status Information Privacy policies and procedures need to be updated Control Deficiency Partially Remediated as of September 30, 2016 We noted Independent Audit of Selected Operations and Budgets, KPMG, December 18, Page 11

14 2015 Finding 2015 Finding Type 2016 Status that the data cataloguing corrective actions had been completed as of the CAP s September 30, 2016 planned correction date. However, the corrective actions related to data destruction had not been completed and implemented as of September 30, Draft procedures and options available to assure positive destruction of storage that contains personally identifiable information had been completed, but finalization of the procedures and Chief Information Officer approval were in progress and not started, respectively. (We note that CFPB management provided a copy of the final CFPB Media Sanitization and Destruction Standard, which was signed by the Acting Chief Information Officer in November, 2016.) Page 12

15 Finding and Recommendations Our 2016 performance audit identified one internal control deficiency 5 finding, which is presented below. We discussed the results of the performance audit with CFPB s CFO and audit focus area leads. We held an exit conference on December 15, A. Asset management annual inventory policies and procedures need to be reinforced and certain additional controls need to be adopted Background: Periodic inventories are not only a sign of good stewardship of public funds and assets, but they are a required and intrinsic component of CFPB s Asset Management policy 6. Annual inventories are conducted at a specified time during each fiscal year and involve a full inventory of all assets identified within the Bureau. CFPB s asset tracking system is reliant on a set of unique CFPB barcoded asset tags that are placed on each item. During the annual inventory process, CFPB manually scans the barcoded asset tag affixed to every item within the facility. The results are then uploaded into a tracking spreadsheet, and items are grouped by asset types (e.g., facilities and technology and innovation). Condition: As a result of test procedures performed over the CFPB s FY 2016 inventory process, we noted the following conditions: 1. Controls over the identification and documentation of IT-related inventory items are not operating effectively to provide reasonable assurance that all IT assets are properly identified, tagged, and logged accurately onto the inventory tracking spreadsheet. From a sample of 63 items selected for testing, we noted 7 inventory recordkeeping discrepancies, including instances where an asset tag was missing from an asset, multiple asset tags with different numbers were affixed to the same asset, assets were traceable to the inventory spreadsheet using their serial numbers but the asset tag numbers affixed to the assets were not recorded on the inventory spreadsheet, and an asset that was in service had been inadvertently deleted from the inventory spreadsheet. 5 Government Auditing Standards, 2011 Revision Paragraph In performance audits, a deficiency in internal control exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct (1) impairments of effectiveness or efficiency of operations, (2) misstatements in financial or performance information, or (3) noncompliance with provisions of laws, regulations, contracts, or grant agreements on a timely basis. A deficiency in design exists when (a) a control necessary to meet the control objective is missing or (b) an existing control is not properly designed so that, even if the control operates as designed, the control objective is not met. 6 CFPB Service Desk Asset Management Standard Operating Procedure Section 3.1 (Purpose of the Inventory). Page 13

16 In addition, we noted 215 network items that were identified by serial numbers on the fiscal year 2016 inventory tracking spreadsheet; however, there were no asset tag numbers associated with these assets on the spreadsheet. 2. CFPB s IT and non-it asset management policies and procedures lack guidance related to how the results of the annual inventory, including discrepancies noted and adjustments made to the inventory tracking spreadsheet, are to be documented. Consequently, upon inspection of CFPB s fiscal year 2016 inventory observation results, we were not able to determine: a. When the inventory observations were performed; b. The number and type of discrepancies found (e.g., assets that could not be located or additional items found during the inventory that were not included on the inventory tracking spreadsheet); and c. Actions taken to resolve any discrepancies noted. Criteria: CFPB Service Desk Asset Management Standard Operating Procedure - Section 3.1 (Purpose of the Inventory). United States Government Accountability Office (GAO) Standards for Internal Control in the Federal Government Principles (September 2014) Section 10.03, Design of Appropriate Control Activities and Section 12.02, Documentation of Responsibilities through Policies. Cause and Effect: The CFPB s inventory process is manually-intensive in nature and prone to errors that may not be prevented or detected and corrected on a timely basis. CFPB s inventory policies and procedures do not include specific policies and procedures to direct staff members on the documentation requirements over the performance of the annual inventory, including identifying discrepancies found during the inventory process, and corrective actions taken as a result of the annual inventory. If not corrected, these control deficiencies may prevent the Bureau from effectively managing and safeguarding its inventory assets. Recommendations: To improve controls over the asset management and annual inventory processes, we recommend that CFPB: a. Implement controls designed to ensure that barcoded asset tags are affixed to all servers upon acquisition and that they can be physically accessed for scanning purposes during the inventory process. b. Update inventory observation-related standard operating procedures to provide guidance on how to document the results of the annual inventory, including (1) the date the observation(s) was performed, Page 14

17 (2) the number and type of discrepancies identified (e.g., items that were found to be damaged or defective, as well as assets observed to be in use that were not included on the inventory tracking spreadsheet, and (3) disposition of the discrepancies identified, including any corrections or adjustments made to the inventory tracking spreadsheet. c. Reinforce key objectives and procedures in the inventory observation process to help ensure that: All assets within CFPB s possession are safeguarded and can be readily located using the inventory tracking spreadsheets; Appropriate documentation is maintained regarding the performance of the inventory observations; Inventory-related discrepancies are resolved; and Necessary updates are made to inventory listings. d. Provide training to applicable personnel regarding annual inventory policies and procedures. Page 15

18 Appendix A Appendix A Additional Improvement Observations Our current audit procedures did not identify any findings related to the budget or Frequent Traveler Stipend Program (FTSP) processes. However, as a result of our procedures, we are reporting certain observations for CFPB s consideration in further enhancing these processes. These observations are related to our 2016 audit of selected operations and budget and are presented for the purpose of finalizing the results of that audit. Our additional observations are as follows: 1. Budget Function: We reviewed documentation related to the CFPB s use of the Operating Reserve during fiscal year 2016 for conformance to the Operating Reserve Policy. CFPB could benefit from introducing enhancements to the Operating Reserve Policy in the form of additional clarity in the guidance related to (1) the frequency of recalculating the amount of the reserve from year to year, and (2) documentation requirements when the reserve is used. Specifically, CFPB may consider: a. Developing Standard Operating Procedures (SOP) complementing the existing policy to more clearly specify the required frequency of and the method and inputs for calculating the level or range of the amount of the reserve, including the Bureau s considerations in developing the relevant inputs associated with the current year s or near-future budgetary resources. b. Developing an SOP to complement the existing policy that specifies the documentation requirements related to (i) support for the case-by-case justifications for requests to utilize operating reserve funds, and (ii) the form or method for documenting the Director s approval of the use of the reserve when its use is expected to increase the Bureau s approved annual budget. 2. Frequent Traveler Stipend Program: We reviewed CFPB s eligibility determinations resulting in fiscal year 2016 FTSP payments being made to eligible employees for conformance to the FTSP policy. CFPB could benefit from introducing improvements over the FTSP policies and procedures. Specifically, CFPB may consider: a. Implementing physical and electronic access controls around the OCFO Travel Section s FTSP claims review spreadsheet to help ensure that only authorized individuals with a valid need can access the document and enter or change information. b. Issuing an SOP that complements the existing Frequent Traveler Stipend Program policy to more clearly describe the level of review expected of the employees supervisors when reviewing and approving an employee s Frequent Traveler Stipend Program claim form prior to its submission to the OCFO Travel Section for processing. Page 16

19 Appendix B Appendix B CFPB s Management Response Management Responses We provided a draft of this report to CFPB management for review and comment. CFPB s responses to our finding and recommendations are included in a letter from CFPB s Acting Chief Financial Officer dated December 16, CFPB s responses were not subjected to the auditing procedures applied in the performance audit objectives relative to CFPB; accordingly, we expressed no opinion on these responses. Page 17

20 Appendix B

21 Appendix B